This repository has been archived by the owner on Aug 23, 2023. It is now read-only.

Merge pull request #14 from snyk/feat/content-curation-exercise
feat: Content Curation Exercise
karenyavine committed Jan 3, 2018
2 parents eef1ab9 + 14e0d24 commit c7efecd
Showing 117 changed files with 29 additions and 0 deletions.
29 changes: 29 additions & 0 deletions exercises/security/content-curation.md
@@ -0,0 +1,29 @@
### Exercise
This exercise is to assess your detective and content curation skills. It is similar to a typical task you would work on at Snyk.

Vulnerabilities are curated by many organizations, CVE being the most popular. Many public vulnerabilities get an ID in the CVE database.

You are given a CVE ID and asked to discover all information on it. You do not need prior knowledge of security vulnerabilities, but it may help.

You can use any external source available on the internet.

#### Tasks
On September 7th, 2017, a large company named Equifax announced that it was breached by hackers. The hackers used a known exploit in order to conduct their attack. The exploit was assigned the ID: **CVE-2017-5638**.

1. Build a timeline of when the vulnerability was initially found, to the day Equifax announced the breach.
We'd like to know any small piece of information, including but not limited to:
- What Open Source package is vulnerable? Talk to us in [maven group ids and artifact ids](https://maven.apache.org/guides/mini/guide-naming-conventions.html).
- When was the vulnerability initially published? Where?
- When was the vulnerability fixed? Can you find the code that fixed it?
- When was it added to external DBs? (like CVE, NVD, etc)
- What other information can you find? Don't forget to cite all sources.
2. Write a short blog, about 10-15 lines about the vulnerability. Make sure the post covers some background, why is this important, and what action can the blog reader take to make sure they are not vulnerable.
3. Knowing what you know now, How would you automate finding this vulnerability? What about future vulnerabilities? The more specific, the less vulnerabilities we'd find. The less specific, the more false positives we get. Find a good balance between the two. This is not a coding exercise, you may explain in writing.

Don't spend too long on this – we appreciate that this is your own time and we don't want to take up more than is necessary. Anything you don't have time to do we can talk through it instead. And if there's something you're struggling with, make a note and move on. At Snyk, you'd have a whole team to support you when you get stuck. :)

When you're finished, let us know and we'll go through the task together.

Any questions? Let us know!

✨ Good luck! ✨
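Review bot: the sub-bullets under task 1 (the lines from `- What Open Source package is vulnerable?` through `- What other information can you find?`) are not indented, so in rendered Markdown they will not nest under item 1 and the ordered list is interrupted before `2.`; indent them by three spaces so they render as children of the first task. Minor wording in task 3: `How would you automate` should be lowercase mid-sentence, and `the less vulnerabilities we'd find` should read `the fewer vulnerabilities we'd find`; in task 2, `why is this important` reads better as `why it is important`. The file also opens at heading level 3 (`### Exercise`) with no level 1 or 2 heading above it; consider starting at `#` or `##` so the document outline is consistent with the rest of the exercises.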
File renamed without changes.

0 comments on commit c7efecd
